Networking is one of the most important and complex areas of AWS. Every resource you launch lives inside a network, and understanding how that network is structured is fundamental to designing secure, resilient architectures.
Amazon VPC
A Virtual Private Cloud (VPC) is a logically isolated portion of the AWS network that you control. When you create an AWS account, a default VPC is created in every region.
- Each VPC has a CIDR block (IP address range), e.g., 10.0.0.0/16
- VPCs span all AZs within a region
- You can have up to 5 VPCs per region (soft limit)
Subnets
A subnet is a range of IP addresses within a VPC, scoped to a single Availability Zone. You divide your VPC into subnets based on access requirements:
Public Subnets
Have a route to an Internet Gateway (IGW). Resources with a public IP can be accessed from the internet. Use for: load balancers, NAT gateways, bastion hosts.
Private Subnets
No direct route to the internet. Resources are not publicly reachable. Use for: application servers, databases, internal microservices.
Internet Gateway and NAT Gateway
- Internet Gateway (IGW): Allows resources in public subnets to communicate with the internet. Attach one per VPC.
- NAT Gateway: Allows resources in private subnets to initiate outbound internet connections (e.g., download packages) without being reachable from the internet. Deployed in a public subnet; private subnets route outbound traffic through it.
Route Tables
Every subnet is associated with a route table that defines where traffic should go:
- 0.0.0.0/0 → igw-xxx: all traffic goes to the internet (public subnet)
- 0.0.0.0/0 → nat-xxx: all traffic goes through NAT (private subnet)
- 10.0.0.0/16 → local: traffic within the VPC stays local (always present)
Security Groups
Security groups are virtual firewalls that control inbound and outbound traffic at the instance level (EC2, RDS, Lambda in VPC, etc.):
- Stateful: If inbound traffic is allowed, the response is automatically allowed outbound.
- Default: deny all inbound, allow all outbound
- Rules can reference IP ranges or other security group IDs
Inbound Rule: Type=HTTPS, Protocol=TCP, Port=443, Source=0.0.0.0/0
Inbound Rule: Type=SSH, Protocol=TCP, Port=22, Source=10.0.0.0/8
Network ACLs (NACLs)
NACLs are additional firewalls at the subnet level:
- Stateless: Inbound and outbound rules are evaluated independently.
- Rules are numbered; evaluated in order (lowest number first).
- Default NACL allows all traffic. Custom NACLs deny all by default.
| | Security Group | NACL |
|---|---|---|
| Level | Instance | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules | In order by number |
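As an added example (not code from the original page), the following Python models the two evaluation styles in the table: a security group that permits on any matching allow rule, and a NACL that scans numbered rules lowest-first and stops at the first match, falling through to an implicit deny. The CIDRs, rule numbers and client addresses are constructed; the security group rules are the two quoted on the page.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
# Constructed model of the two firewall layers: a stateful security group (allow
# rules only, order irrelevant) and a stateless NACL (numbered rules, first match wins).

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; unused for security groups
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str

def rule_matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    """True if a packet with this protocol, port and peer address fits the rule."""
    if rule.protocol not in ("-1", protocol):
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
def nacl_decision(rules: list[Rule], protocol: str, port: int, addr: str) -> str:
    """Walk rules in ascending number; first match decides, else the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, addr):
            return rule.action
    return "deny"
def sg_decision(rules: list[Rule], protocol: str, port: int, addr: str) -> str:
    """Security groups only hold allow rules, so any single match permits."""
    return "allow" if any(rule_matches(r, protocol, port, addr) for r in rules) else "deny"

# Subnet NACL, inbound: rule 100 denies a constructed abusive /24 before rule 200 admits HTTPS.
NACL_IN = [Rule(100, "deny", "tcp", 443, 443, "203.0.113.0/24"),
           Rule(200, "allow", "tcp", 443, 443, "0.0.0.0/0")]
# Subnet NACL, outbound: the first list lacks an ephemeral-port rule, so replies are dropped.
NACL_OUT_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
# Instance security group, inbound: the two rules quoted on the page.
SG_IN = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0"),
         Rule(0, "allow", "tcp", 22, 22, "10.0.0.0/8")]

def request_reaches_instance(client_ip: str, port: int) -> bool:
    """Inbound traffic must pass the subnet NACL and then the instance's security group."""
    return (nacl_decision(NACL_IN, "tcp", port, client_ip) == "allow"
            and sg_decision(SG_IN, "tcp", port, client_ip) == "allow")

def reply_leaves_subnet(outbound: list[Rule], client_ip: str, client_port: int) -> bool:
    """The reply targets the client's ephemeral port; a stateless NACL must allow it explicitly."""
    return nacl_decision(outbound, "tcp", client_port, client_ip) == "allow"
```

Note that SSH from 10.20.30.40 passes the security group but is still dropped, because the NACL above has no rule for port 22: both layers must agree.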
VPC Peering and Transit Gateway
- VPC Peering: Direct network connection between two VPCs (same or different accounts/regions). Traffic stays on AWS backbone. Not transitive — if A peers B and B peers C, A cannot reach C through B.
- AWS Transit Gateway: Hub-and-spoke model connecting multiple VPCs and on-premises networks through a central gateway. Supports thousands of VPCs. Solves the transitivity problem.
Connecting to On-Premises
- VPN (Site-to-Site): Encrypted tunnel over the internet between your data centre and your VPC. Quick to set up.
- AWS Direct Connect: Dedicated physical fibre connection from your data centre to AWS. Consistent latency and throughput; higher cost. Used for large data transfers and latency-sensitive workloads.
Other Networking Services
- Elastic Load Balancing (ELB): Distributes traffic across multiple EC2 instances, containers, or Lambda functions. ALB (Application), NLB (Network), GLB (Gateway).
- Amazon Route 53: Scalable DNS service with health checking, geo-routing, and latency-based routing.
- Amazon CloudFront: Global CDN. Caches content at 400+ edge locations.
- AWS Global Accelerator: Routes traffic to optimal AWS endpoints via the AWS backbone instead of the public internet.
Next: AWS IAM — how to control who can access which AWS services and resources.